SPNEGO question

Pascal Jakobi pjakobi at yahoo.fr
Tue Nov 10 03:05:47 EST 2015


Got it. Thanks.
On 09/11/2015 23:39, Rick van Rein wrote:
> Hi Pascal,
>
>> I was able to get it to work (with Firefox) when calling a simple URI
>> such as http://host.domain.tld but not when calling
>> http://host.domain.tld/test_dir.
> That surprises me.  I've been putting host.fqdn.names and .domain.names
> into the network.negotiate-auth.trusted-uris field in about:config and
> not full URIs as the field name suggests, so I wonder how the path could
> be of influence.
>
>> I did change the negotiate URI field in Firefox configuration,
> You were trying to set up the path in the trusted-uris field?  That is
> not the idea, I think.
>
> The use of trusted-uris is to set up hosts that may receive the Kerberos
> tickets, and the path underneath is hardly considered a distribution
> across operational boundaries, so it has no real impact on trust.
>
> If your intention is to only pick up the ticket for certain paths, then
> you should leave the trusted-uris set to the entire webhost, and set up
> the server to only request SPNEGO authentication for the paths that it
> considers protected resources.
>
>> but did
>> not touch the service keytab (HTTP/<host>). My guess is that the problem
>> is there...
>>
> You cannot change the service keytab for paths; it only mentions the
> service name and the server hostname.
>
>> Does this mean that in reality SPNEGO is limited to virtual hosts?
>>
> Not sure what you're asking.  SPNEGO trusted-uris on Firefox are set up
> for hostnames AFAIK, and within a server you get to choose when to
> trigger SPNEGO by demanding authentication.
>
>> If someone could clarify, this would be more than useful...
>>
> I hope this helps.
>
>
> Cheers,
>   -Rick
>

-- 
Pascal Jakobi <mailto:pjakobi at yahoo.fr>
116 rue de Stalingrad
93100 Montreuil, France
Tel : +33 6 87 47 58 19
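
The arrangement Rick describes above (trusted-uris left at the whole host, the server deciding per path when to ask for SPNEGO), as an added example that is not part of the original thread: a Python WSGI sketch that sends the `WWW-Authenticate: Negotiate` challenge only for protected paths. The `/test_dir` prefix is taken from the thread; `needs_negotiate`, `make_app` and the `verify` hook are hypothetical names, and validating the token against the HTTP/<host> keytab is left to the caller-supplied `verify`.

```python
import posixpath

# "/test_dir" is the path from the thread; the list itself is an assumption.
PROTECTED_PREFIXES = ("/test_dir",)

def needs_negotiate(path, prefixes=PROTECTED_PREFIXES):
    """True when an already percent-decoded path is a protected resource."""
    # Normalise first so "/public/../test_dir" cannot dodge the check.
    path = posixpath.normpath("/" + path.lstrip("/"))
    # Match whole segments: "/test_dir" covers "/test_dir/x", not "/test_dirty".
    return any(path == p or path.startswith(p + "/") for p in prefixes)

def make_app(verify, prefixes=PROTECTED_PREFIXES):
    """Build a WSGI app. verify(token_b64) is a caller-supplied, hypothetical
    hook that accepts the GSSAPI token with the HTTP/<host> keytab and returns
    the client principal, or None if the token is rejected."""
    def app(environ, start_response):
        text = [("Content-Type", "text/plain")]
        if not needs_negotiate(environ.get("PATH_INFO", "/"), prefixes):
            # Unprotected path: no challenge, so the browser sends no ticket.
            start_response("200 OK", text)
            return [b"public\n"]
        scheme, _, token = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
        token = token.strip()
        principal = verify(token) if scheme.lower() == "negotiate" and token else None
        if principal is None:
            # Protected path, no valid token: this 401 is what triggers SPNEGO
            # in a browser whose trusted-uris entry covers this host.
            start_response("401 Unauthorized", [("WWW-Authenticate", "Negotiate")] + text)
            return [b"authentication required\n"]
        start_response("200 OK", text)
        return [("hello " + principal + "\n").encode()]
    return app

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Constructed stand-in verifier that rejects everything; replace with a real one.
    make_server("127.0.0.1", 8080, make_app(lambda token: None)).serve_forever()
```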

